Bug 1558708

Summary: selinux blocks pmdagluster
Product: [Fedora] Fedora
Component: pcp
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
Reporter: Frank Ch. Eigler <fche>
Assignee: Lukas Berk <lberk>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: brolley, fche, jstrunk, lberk, mgoodwin, nathans, scox
Fixed In Version: pcp-4.0.1-1 pcp-4.0.1-1.fc28 pcp-4.0.1-1.fc26 pcp-4.0.1-1.fc27
Last Closed: 2018-04-03 13:27:01 UTC
Type: Bug

Description Frank Ch. Eigler 2018-03-20 20:44:14 UTC
git master-ish pcp.  Another illustration that many pmdas have diverse needs to connect to things, and probably should just become unconstrained.

type=AVC msg=audit(1521578046.908:119687): avc:  denied  { read } for  pid=24448 comm="gluster" name="cli.log" dev="xvda2" ino=25217888 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:glusterd_log_t:s0 tclass=file
type=AVC msg=audit(1521578046.908:119687): avc:  denied  { open } for  pid=24448 comm="gluster" path="/var/log/glusterfs/cli.log" dev="xvda2" ino=25217888 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:glusterd_log_t:s0 tclass=file
type=SYSCALL msg=audit(1521578046.908:119687): arch=c000003e syscall=2 success=yes exit=5 a0=5582506be75c a1=40 a2=180 a3=676f6c2f7261762f items=0 ppid=24426 pid=24448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1521578046.908:119687): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1521578046.913:119688): avc:  denied  { connectto } for  pid=24448 comm="gluster" path="/run/glusterd.socket" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=unix_stream_socket
type=SYSCALL msg=audit(1521578046.913:119688): arch=c000003e syscall=42 success=yes exit=0 a0=6 a1=5582512773b8 a2=6e a3=0 items=0 ppid=24426 pid=24448 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)

Comment 1 Fedora Update System 2018-03-29 03:34:40 UTC
pcp-4.0.1-1.fc28 has been submitted as an update to Fedora 28. https://bodhi.fedoraproject.org/updates/FEDORA-2018-67ae01df6c

Comment 2 Fedora Update System 2018-03-29 03:36:33 UTC
pcp-4.0.1-1.fc27 has been submitted as an update to Fedora 27. https://bodhi.fedoraproject.org/updates/FEDORA-2018-e0d3cdb266

Comment 3 Fedora Update System 2018-03-29 03:37:34 UTC
pcp-4.0.1-1.fc26 has been submitted as an update to Fedora 26. https://bodhi.fedoraproject.org/updates/FEDORA-2018-a88bef9929

Comment 4 Fedora Update System 2018-03-29 13:58:03 UTC
pcp-4.0.1-1.fc28 has been pushed to the Fedora 28 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-67ae01df6c

Comment 5 Fedora Update System 2018-03-29 16:48:22 UTC
pcp-4.0.1-1.fc26 has been pushed to the Fedora 26 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-a88bef9929

Comment 6 Fedora Update System 2018-03-29 17:58:09 UTC
pcp-4.0.1-1.fc27 has been pushed to the Fedora 27 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2018-e0d3cdb266

Comment 7 Fedora Update System 2018-04-03 13:27:01 UTC
pcp-4.0.1-1.fc28 has been pushed to the Fedora 28 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 John Strunk 2018-04-04 18:02:37 UTC
Looks like there are still issues:

type=USER_CMD msg=audit(1522864273.965:12946): pid=10809 uid=1001 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/lib/pcp/pmdas/gluster" cmd="./Install" terminal=pts/0 res=success'
type=CRED_REFR msg=audit(1522864273.966:12947): pid=10809 uid=0 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=USER_START msg=audit(1522864273.966:12948): pid=10809 uid=0 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=AVC msg=audit(1522864277.592:12949): avc:  denied  { search } for  pid=11056 comm="gluster" name="glusterfs" dev="vda1" ino=21177864 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864277.592:12949): arch=c000003e syscall=4 success=no exit=-13 a0=7f7c662f3551 a1=7ffc81bfb9e0 a2=7ffc81bfb9e0 a3=9 items=0 ppid=11034 pid=11056 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864277.592:12949): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1522864277.592:12950): avc:  denied  { search } for  pid=11056 comm="gluster" name="glusterfs" dev="vda1" ino=8523839 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864277.592:12950): arch=c000003e syscall=2 success=no exit=-13 a0=55a896a5875c a1=40 a2=180 a3=1 items=0 ppid=11034 pid=11056 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864277.592:12950): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=USER_END msg=audit(1522864277.606:12951): pid=10809 uid=0 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:session_close grantors=pam_keyinit,pam_limits acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=CRED_DISP msg=audit(1522864277.606:12952): pid=10809 uid=0 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/0 res=success'
type=AVC msg=audit(1522864288.225:12953): avc:  denied  { search } for  pid=11060 comm="gluster" name="glusterfs" dev="vda1" ino=21177864 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864288.225:12953): arch=c000003e syscall=4 success=no exit=-13 a0=7f6ff104a551 a1=7fffd6b11d70 a2=7fffd6b11d70 a3=9 items=0 ppid=11034 pid=11060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864288.225:12953): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1522864288.225:12954): avc:  denied  { search } for  pid=11060 comm="gluster" name="glusterfs" dev="vda1" ino=8523839 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864288.225:12954): arch=c000003e syscall=2 success=no exit=-13 a0=555b6fd7075c a1=40 a2=180 a3=1 items=0 ppid=11034 pid=11060 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864288.225:12954): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1522864288.260:12955): avc:  denied  { search } for  pid=11062 comm="gluster" name="glusterfs" dev="vda1" ino=21177864 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864288.260:12955): arch=c000003e syscall=4 success=no exit=-13 a0=7fe44f895551 a1=7ffec6454540 a2=7ffec6454540 a3=9 items=0 ppid=11034 pid=11062 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864288.260:12955): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=AVC msg=audit(1522864288.260:12956): avc:  denied  { search } for  pid=11062 comm="gluster" name="glusterfs" dev="vda1" ino=8523839 scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir
type=SYSCALL msg=audit(1522864288.260:12956): arch=c000003e syscall=2 success=no exit=-13 a0=5567e7ec375c a1=40 a2=180 a3=1 items=0 ppid=11034 pid=11062 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="gluster" exe="/usr/sbin/gluster" subj=system_u:system_r:pcp_pmcd_t:s0 key=(null)
type=PROCTITLE msg=audit(1522864288.260:12956): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
type=USER_CMD msg=audit(1522864295.839:12957): pid=11064 uid=1001 auid=1001 ses=118 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='cwd="/var/lib/pcp/pmdas/gluster" cmd=677265702064656E696564202F7661722F6C6F672F61756469742F61756469742E6C6F67 terminal=pts/0 res=success'

Using:
$ rpm -qa | grep pcp
python-pcp-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-libs-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-selinux-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-pmda-dm-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-pmda-gluster-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-conf-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64
pcp-system-tools-4.0.2-0.201803310742.git99697ef8.el7.centos.x86_64

Comment 9 Lukas Berk 2018-04-04 19:15:47 UTC
Thanks, I've pushed a fix upstream for the additional AVC denials

commit 7b87d011baa1cab70abfbbc83fa970d10c146253 (HEAD -> master, origin/master, origin/HEAD)
Author: Lukas Berk <lberk>
Date:   Wed Apr 4 15:12:44 2018 -0400

    rhbz1558708 further policy and qa updates
    
    Add glusterd_log_t:dir { search }
    Add glusterd_conf_t:dir { search }
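
Added example (not part of the bug thread or of the pcp policy source): a small Python parser that collapses the AVC denials quoted in this report into one candidate `allow` rule per source type, target type and class, and decodes the hex PROCTITLE field. The sample records are abridged from the excerpts above, the function names are illustrative, and the output is a list to review, not the rules pcp-selinux shipped.

```python
import re
from collections import defaultdict

# Records copied from the audit excerpts in this report, with fields the
# parser does not read (dev, ino, pid) dropped to keep the lines short.
SAMPLE = """\
type=AVC msg=audit(1521578046.908:119687): avc:  denied  { read } for  comm="gluster" name="cli.log" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:glusterd_log_t:s0 tclass=file
type=AVC msg=audit(1521578046.908:119687): avc:  denied  { open } for  comm="gluster" path="/var/log/glusterfs/cli.log" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=unconfined_u:object_r:glusterd_log_t:s0 tclass=file
type=AVC msg=audit(1521578046.913:119688): avc:  denied  { connectto } for  comm="gluster" path="/run/glusterd.socket" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:system_r:glusterd_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1522864277.592:12949): avc:  denied  { search } for  comm="gluster" name="glusterfs" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=AVC msg=audit(1522864277.592:12950): avc:  denied  { search } for  comm="gluster" name="glusterfs" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_log_t:s0 tclass=dir
type=AVC msg=audit(1522864288.225:12953): avc:  denied  { search } for  comm="gluster" name="glusterfs" scontext=system_u:system_r:pcp_pmcd_t:s0 tcontext=system_u:object_r:glusterd_conf_t:s0 tclass=dir
type=PROCTITLE msg=audit(1522864277.592:12949): proctitle=676C7573746572002D2D786D6C00766F6C756D6500696E666F
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<src>\S+)\s+tcontext=(?P<tgt>\S+)\s+tclass=(?P<cls>\S+)")
PROCTITLE_RE = re.compile(r"proctitle=([0-9A-Fa-f]+)")

def selinux_type(context):
    """Return the type field of a user:role:type:level[:categories] context."""
    return context.split(":")[2]

def denied_rules(log):
    """Merge repeated denials into {(source_type, target_type, class): perms}."""
    rules = defaultdict(set)
    for m in AVC_RE.finditer(log):
        key = (selinux_type(m["src"]), selinux_type(m["tgt"]), m["cls"])
        rules[key].update(m["perms"].split())
    return dict(rules)

def as_allow_rules(rules):
    """Render the merged denials as candidate allow rules for policy review."""
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(rules.items())]

def command_lines(log):
    """Decode hex PROCTITLE values (NUL-separated argv) into readable commands."""
    return sorted({bytes.fromhex(h).decode("utf-8", "replace").replace("\x00", " ")
                   for h in PROCTITLE_RE.findall(log)})

if __name__ == "__main__":
    print("\n".join(as_allow_rules(denied_rules(SAMPLE))))
    print("denied command:", command_lines(SAMPLE))
```

The two `dir { search }` candidates correspond to the additions named in the commit message in Comment 9.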

Comment 10 Fedora Update System 2018-04-06 14:37:10 UTC
pcp-4.0.1-1.fc26 has been pushed to the Fedora 26 stable repository. If problems still persist, please make note of it in this bug report.

Comment 11 Fedora Update System 2018-04-06 15:02:02 UTC
pcp-4.0.1-1.fc27 has been pushed to the Fedora 27 stable repository. If problems still persist, please make note of it in this bug report.